Recently, wireless mesh networks have attracted more and more attention, e.g. for remote control of illumination systems, building automation, monitoring applications, sensor systems and medical applications. In particular, remote management of outdoor luminaires, so-called telemanagement, is becoming increasingly important. On the one hand, this is driven by environmental concerns, since telemanagement systems enable the use of different dimming patterns, for instance as a function of time, weather conditions or season, allowing a more energy-efficient use of the outdoor lighting system. On the other hand, this is also driven by economic reasons, since the increased energy efficiency also reduces operational costs. Moreover, the system can remotely monitor power usage and detect lamp failures, which allows for determining the best time for repairing luminaires or replacing lamps.
Current radio-frequency (RF) based wireless solutions use either a star network topology or a mesh network topology. In a star network, a central controller has a direct wireless communication path to every node in the network. However, this typically requires a high-power/high-sensitivity base-station-like central controller to be placed at a high location (e.g. on top of a building), which makes the solution cumbersome to deploy and expensive. In a mesh network, the nodes in general do not communicate directly with the central controller, but via so-called multi-hop communications. In a multi-hop communication, a data packet is transmitted from a sender node to a destination node via one or more intermediate nodes. Nodes act as routers to transmit data packets from neighboring nodes to nodes that are too far away to reach in a single hop, resulting in a network that can span larger distances. By breaking long distances into a series of shorter hops, signal strength is sustained. Consequently, routing is performed by all nodes of a mesh network, each deciding to which neighboring node the data packet is to be sent. Hence, a mesh network is a very robust and stable network with high connectivity and thus high redundancy and reliability.
In FIG. 1, a typical wireless network with mesh topology is shown. The wireless network comprises a central controller 60 and a plurality of nodes 10 (N) connected among each other by wireless communication paths 40 in a mesh topology. The wireless communication paths 40 between the nodes 10 can be constituted by RF transmissions. For this, the nodes 10 and the central controller 60 can comprise a transceiver for transmitting or receiving data packets via wireless communication paths 40, e.g. via RF transmission. In the backend, a service center 80 is situated and serves for system management. This entity normally communicates with one or more wireless networks over a third-party communication channel, such as the Internet or mobile communication networks or other wired or wireless data transmission systems. In particular, the service center 80 communicates with a central controller 60 of a corresponding network as a commissioning tool in charge of controlling or configuring this network. In the case of a lighting system or any other large wireless network, a network can also be divided into segments, so that a node 10 belongs to exactly one segment having one segment controller 60. Therefore, the terms “segment controller” and “central controller” should be seen as interchangeable throughout this description.
Within the mesh network, any pair of nodes 10 can communicate with each other over several hops by means of a routing protocol. For security reasons, all nodes 10 of the network may share a common key K for authentication that is used to verify, hop by hop, whether the data packet originates from a network node 10 or from an interfering node. Therefore, if a sender node 10 sends a message to a destination node 10 via an intermediate node 10, the sender node 10 can protect the message at the MAC (Media Access Control) layer. Here, protection refers to the provision of basic security services such as authentication, integrity, freshness or even confidentiality by means of a standard block cipher mode such as AES-CCM (Advanced Encryption Standard in CCM mode). To this end, the sender node 10 can for instance take the message and attach to it at least one MIC (Message Integrity Code) generated with AES-CCM, the common key K, and a counter C associated with the sender node and used to ensure message freshness. Upon reception of this message, the intermediate node 10 will proceed to decode the message using the key K and verify message integrity using the MIC and message freshness based on the counter C. If all verifications are successful, the intermediate node 10 will protect the message again as done by the sender node 10 and forward it to the destination node 10.
If each node 10 in the mesh network verifies the authenticity using the key K and the freshness based on the counter C of a forwarded message, a basic network protection can be provided. However, this does not cover two important situations, in which the network is very vulnerable and can be fully broken by a denial of service attack (DoS attack). The first problem is related to the commissioning phase of the network, wherein not all nodes 10 of the network have been successfully commissioned yet. Therefore, not all nodes 10 have the key K used to realize hop-by-hop security. Yet, during commissioning, a plurality of messages has to be exchanged with the segment controller 60 or even with the service center 80, so that the problem of security arises. Thus, an attacker might send fake commissioning messages overloading the network. By way of example, it can be assumed that nodes A and B have already joined the network and thus know the common key K, while nodes C and D still have to join the network and are not yet successfully commissioned (not knowing K). In case node A or node B has to forward commissioning messages from nodes C or D, nodes A and B cannot check whether these commissioning messages are authentic and fresh, since nodes C and D did not use the key K. Therefore, in this situation, an attacker might send large numbers of commissioning messages, breaking the network and leading to denial of service. It should be noted that this problem does not only arise at the very beginning of the network set-up, but e.g. also when adding new nodes 10 to a network. Thus, nodes 10 being in different operating states or phases represent a serious security problem for the network.
The second security problem arises due to the limited regional knowledge of the individual nodes 10. In general, due to the strict memory limitations of a node 10, a node 10 cannot store all counters C or the like for all other nodes 10 of the network. Therefore, an attacker might for instance eavesdrop on a communication link on one side of the network and replay those messages in other parts of the network. This is called a “wormhole attack” and is illustrated in FIG. 2. In FIG. 2, a node A eavesdrops on a communication in network part 1 and sends it through a wormhole link (arrow) to node B in network part 2 for replaying the message in network part 2, or vice versa. One effect of such an attack is that all nodes 10 in network part 1 assume that nodes 10 in network part 2 are neighboring nodes, and vice versa. As a result, this affects routing and other connectivity-based protocols in the network. In addition, once the new “routes” are established and the data traffic in the network starts using the shortcut through the wormhole link, the wormhole nodes A and B can start dropping data packets and cause network disruption. Moreover, although the counter C corresponding to a node 10 of network part 1 is not known by the nodes 10 in network part 2, the nodes 10 in network part 2 will simply forward all replayed messages, since the message integrity code MIC can be verified. Hence, an attack can result in blocking all messages coming from network part 2 by means of messages generated in network part 1.
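As an added illustration of the hop-by-hop scheme and of the two gaps described in the preceding paragraphs (this is example code written for this description, not part of it or of any product): every node verifies the MIC with the shared key K and checks freshness against the counter C it last saw from that sender, but can remember counters for only a bounded number of senders, and a node that is not yet commissioned has no K at all. HMAC-SHA256 stands in for the AES-CCM MIC of the text; node names, the key bytes and the payloads are constructed.

```python
import hmac, hashlib

def mic(key, sender, counter, payload):
    # HMAC-SHA256 truncated to 8 bytes stands in for the AES-CCM MIC of the text.
    data = sender.encode() + counter.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Node:
    def __init__(self, name, key=None, max_counters=2):
        self.name, self.key = name, key      # key None: not yet commissioned
        self.counter = 0                     # own freshness counter C
        self.seen = {}                       # last counter per sender (bounded)
        self.max_counters = max_counters

    def protect(self, payload):
        # sender-side MAC-layer protection: (sender id, C, payload, MIC)
        self.counter += 1
        return (self.name, self.counter, payload,
                mic(self.key, self.name, self.counter, payload))

    def check(self, packet):
        # hop-by-hop verification; returns 'ok', 'ok-untracked' or a rejection reason
        sender, counter, payload, tag = packet
        if self.key is None:
            return "unverifiable"            # no K yet: cannot authenticate anything
        if not hmac.compare_digest(tag, mic(self.key, sender, counter, payload)):
            return "bad-mic"
        last = self.seen.get(sender)
        if last is not None and counter <= last:
            return "replay"                  # stale counter from a known sender
        if last is None and len(self.seen) >= self.max_counters:
            return "ok-untracked"            # MIC valid, but no memory left to track C
        self.seen[sender] = counter
        return "ok"

    def forward(self, packet):
        result = self.check(packet)          # accept => re-protect under own C
        return result, (self.protect(packet[2]) if result.startswith("ok") else None)

def demo():
    K = b"constructed-network-key-K"
    a, b, d, e, c = Node("A", K), Node("B", K), Node("D", K), Node("E", K, 1), Node("C")
    p1 = a.protect(b"dim:50")
    r_first, _ = b.forward(p1)               # 'ok': fresh, B stores A's counter
    r_replay, _ = b.forward(p1)              # 'replay': B remembers A's counter
    e.forward(d.protect(b"hello"))           # E's single counter slot now holds D
    r_worm1, _ = e.forward(p1)               # 'ok-untracked': wormholed copy accepted
    r_worm2, _ = e.forward(p1)               # 'ok-untracked': and accepted again
    r_uncomm, _ = c.forward(p1)              # 'unverifiable': C has no key K
    return r_first, r_replay, r_worm1, r_worm2, r_uncomm
```

Node E models a node in network part 2 of FIG. 2: the replayed packet from A carries a valid MIC, and because E has no room to record A's counter it forwards every copy, which is exactly the behaviour the wormhole exploits.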
WO 2009/031112 A2 relates to a node and a method for establishing distributed security architecture for a wireless network.